Best way to verify signed Docker images

We’re planning to sign all Docker images before pushing them to our Registry either using Docker Content Trust + Notary or using Cosign (GitHub - sigstore/cosign: Container Signing).

However, this only solves one-half of the Security Supply Chain picture; we’d like to verify the image’s signature at runtime on Nomad.

What’s the best way to accomplish this? I didn’t see anything in the Docker driver documentation. Is there a way to add a pre or post-hook to pulling the docker image to add a step to verify the digital signature on it? Is there any support for validating the integrity of Docker images?

Hi @brianluong,

This is AFAIK not something that needs to be specifically defined in Nomad. You could try setting DOCKER_CONTENT_TRUST=1 as an environment variable on each node, e.g. in /etc/systemd/system/docker.service.d/override.conf:

[Service]
Environment=DOCKER_CONTENT_TRUST=1

If you’re using Docker Enterprise Edition, you can configure content trust in /etc/docker/daemon.json as well:

{
    "content-trust": {
        "mode": "enforced"
    }
}

On the other hand … maybe it’s not a good idea to rely on Docker Content Trust, at least for public images from Docker Hub. Looks like many of the current images are not signed (at least not the latest versions):
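A small audit of the two node-level settings described in the reply above, as an added example that is not part of this thread: it parses a docker.service systemd drop-in and a /etc/docker/daemon.json and reports which content-trust control is present. The sample file contents are constructed, not taken from any real host.

```python
"""Check a Docker host for the content-trust settings named in the reply.

DOCKER_CONTENT_TRUST is read by the docker CLI client; the daemon.json
"content-trust" block is enforced by the daemon on Docker Enterprise only,
so on Community Edition the second finding is expected.
"""
import json
import re
from typing import Dict, List

ENV_LINE = re.compile(r"^\s*Environment=(.*)$")


def parse_systemd_env(text: str) -> Dict[str, str]:
    """Collect KEY=VALUE pairs from Environment= lines of a unit drop-in.
    An empty Environment= line resets earlier assignments, as systemd does."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if not m:
            continue
        body = m.group(1).strip()
        if not body:
            env.clear()
            continue
        for token in body.split():
            key, sep, value = token.partition("=")
            if sep:
                env[key] = value.strip('"')
    return env


def daemon_json_enforced(text: str) -> bool:
    """True if daemon.json sets "content-trust": {"mode": "enforced"}."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return False
    ct = cfg.get("content-trust")
    return isinstance(ct, dict) and ct.get("mode") == "enforced"


def audit(dropin_text: str, daemon_json_text: str) -> List[str]:
    """Return findings for missing controls; an empty list means both are set."""
    findings = []
    if parse_systemd_env(dropin_text).get("DOCKER_CONTENT_TRUST") != "1":
        findings.append("DOCKER_CONTENT_TRUST=1 not set in docker.service drop-in")
    if not daemon_json_enforced(daemon_json_text):
        findings.append('daemon.json lacks "content-trust": {"mode": "enforced"}')
    return findings


# Constructed samples: a node that leaves trust off, and one with both controls.
WEAK_DROPIN = "[Service]\nEnvironment=DOCKER_CONTENT_TRUST=0\n"
GOOD_DROPIN = "[Service]\nEnvironment=DOCKER_CONTENT_TRUST=1\n"
WEAK_DAEMON = '{"log-driver": "json-file"}'
GOOD_DAEMON = '{"content-trust": {"mode": "enforced"}}'

if __name__ == "__main__":
    print("weak node:", audit(WEAK_DROPIN, WEAK_DAEMON) or ["ok"])
    print("good node:", audit(GOOD_DROPIN, GOOD_DAEMON) or ["ok"])
```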